Threat Modeling LIVE
Alex Hutton, Principal, Risk & Intelligence - Verizon Business
http://securityblog.verizonbusiness.com
http://www.newschoolsecurity.com
Society of Information Risk Analysts http://societyinforisk.org/
@alexhutton on the twitter
Allison Miller, Group Manager, Account Risk & Security - PayPal
2010.08 Applied Threat Modeling: Live (Hutton/Miller)
Alex Hutton & Allison Miller review their research and application of threat modeling. This version was presented at SOURCE Barcelona (2010), a previous version was presented at Black Hat.
Transcript
Alex Hutton, Principal, Risk & Intelligence - Verizon Business
what is this presentation about?
- a new way to look at risk management via data and threat modeling
what is a model?
what is risk management?
Managing risk means aligning the capabilities of the organization, and the exposure of the organization with the tolerance of the data owners
- Jack Jones
control, influence over outcome
threats manifest as loss of assets
how much can you afford to lose?
Traditional Risk Management
Find issue, call issue bad, fix issue, hope you don’t find it again...
Traditional Risk Management
emphasis on assessment, compliance...what about security?
Closing the Gap
Between Assessment and Defense
Design
Management
Operations
Design
Evolution strongly favors strategies that minimize the risk of loss, rather than which maximize the chance of gain.
Len Fisher, Rock, Paper, Scissors: Game Theory in Everyday Life
system models are different from maps, they include dynamics and boundaries
Management
risk management that simply reacts to yesterday's news is not risk management at all
Douglas Hubbard, The Failure of Risk Management
the importance of feedback loop instrumentation
(that's where metrics come from)
Operations
Prediction is very difficult, especially about the future
Niels Bohr
Models in operations tend to assist in automating system decisions, or monitoring for quality defects
This means we need to understand what makes a good decision vs a bad decision
Patterns that can be defined can be detected
…and defining patterns means analyzing lots and lots of data
We don't talk about what we see; we see only what we can talk about
Donella Meadows, Thinking in Systems: A Primer
Friedrich Hayek invades our dreams to give us visions of a new approach
These “risk” statements you’re making, I don’t think you’re doing it right.
- (Chillin' Friedrich Hayek)
Risk Assessment Current Practice
Dutch Model, Likelihood & Impact statement
very physics/engineering oriented
from Mark Curphey’s SecurityBullshit
Complex Systems
Complex Adaptive Systems
Complex Adaptive Systems:
You can't make point probabilities (sorry, ALE); you can only work with patterns of information
How Complex Systems Fail (Being a Short Treatise on the Nature of Failure; How Failure is Evaluated; How Failure is Attributed to Proximate Cause; and the Resulting New Understanding of Patient Safety)
Richard I. Cook, MD, Cognitive Technologies Laboratory, University of Chicago